6 Essential Steps To Secure Your WordPress Site From Hackers

It was only a few days ago when one of my clients asked me “Should I be worried about this?”

He was referring to an automated email that he’d received telling him that user-xyz had been blocked from his login page after 3 attempts to log in with the wrong password.

I told him, “No, that’s a plugin I use to help stop automated hackers from gaining entry to your website.”

He was relieved. But the thing is, *every day* hackers are trying to gain entry to your website, whether you use WordPress or not. It’s just that WordPress makes it easier for them!

Today’s guest article has some great ideas (two of which I’d never even thought about) to help WordPress users make their sites just that little bit harder to hack :)

Enjoy!

PS. The plugin I mentioned above is called Limit Login Attempts. Get hold of it here.

WordPress is an amazing piece of software that powers some of the biggest sites online, but it’s also a hacker’s dream. Every day, the “dark side” of the internet is out looking for security gaps so they can hack into WordPress sites for their own benefit.

Maybe they’re planning to install a virus on your site or maybe they just want to swap your advertising over so they earn money from your traffic; whatever the reasons, if you’re not properly securing your WordPress-powered sites, you’re taking unnecessary risks with your internet empire.

Fortunately, securing your WordPress installation is actually pretty simple, once you know the most common problems experienced. Indeed, there are a number of plugins that will do most of the hard work for you so you can add impressive security to your site in just a short period of time.

Today we’re going to discuss what you should be doing so all your hard work is locked up tighter than Fort Knox.

Move Your Login Page

When you install WordPress, your login page is always set at the same address. Almost without exception you’ll find it located at either:

http://www.YourDomain.com/wp-login.php

http://www.YourDomain.com/wp-admin/

This means that whilst a hacker may not know your password, they know exactly where to go in order to at least have a try. In fact many hackers use automated software once they find a login page to automatically work through thousands of possible words in the hope that they manage to find the right combination.

Moving your login page to a new address by renaming the page in your web hosting account can make it far harder for undesirables to even locate your login page, let alone correctly guess your username and password.

Choose Complicated Login Credentials

Don’t opt for a username of “admin” or a password of “password” or suchlike. The more complicated you make your login details, the less likely it is that a hacker will guess them. Try using a range of numbers, together with both uppercase and lowercase letters, in seemingly random orders and you’ll really cause hackers problems.

A great tool can be Roboform, which will not only store complicated passwords for you securely on your computer so you don’t need to remember them every time you need to log in, but even better, it has a password generator built in that will create incredibly complex usernames and passwords for you.

Furthermore consider changing your username and password on a regular basis. For example I try to change them whenever I upgrade WordPress, so that if a hacker has been trying to access your site but has failed to get in, they’ll have to start all over again when you make the changes. With Roboform this process takes all of 60 seconds so it’s well worth considering.

Monitor Your Login Page

In cases where a hacker is trying to access your login page with a piece of software there are plugins that will “freeze” your login page. When someone has tried to log in a certain number of times, your login page will simply freeze up and not allow any more attempts for a period of time.

Clearly when you combine this with a complex and regularly-changed password it makes accessing your WordPress site via the admin panel virtually impossible. The most popular free plugin with this purpose is called Login Lockdown and only allows 3 failed attempts before it blocks access to the login page.
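The lockout behaviour described above, replayed over web server access logs to show which clients a 3-strikes policy would have blocked. This is an added example, not code from the original article or from either plugin. The 3-failure threshold is the article's figure; the 5-minute counting window, the 60-minute lockout, the sample log lines and the convention that a failed login returns 200 while a successful one returns 302 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Policy: 3 failures is the article's figure; window and lockout are assumed.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=60)

# Constructed access-log lines (documentation-range IPs). Assumption: a failed
# WordPress login returns 200 (form shown again), a successful one returns 302.
SAMPLE_LOG = """\
192.0.2.50 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.50 - - [12/Mar/2024:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.50 - - [12/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [12/Mar/2024:10:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def replay(log_text):
    """Return (locked_until, blocked): lockout expiry and refused attempts per IP."""
    failures, locked_until, blocked = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login submission
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            blocked[ip] = blocked.get(ip, 0) + 1  # login page is "frozen"
            continue
        if status == "302":
            failures.pop(ip, None)  # successful login resets the counter
            continue
        # Keep only failures inside the counting window, then add this one.
        recent = [t for t in failures.get(ip, []) if ts - t <= WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            failures[ip] = []
    return locked_until, blocked
```

On the sample, only the client that failed three times within seconds is locked out; the one that mistyped twice before succeeding and the one whose failures were ten minutes apart are not.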

Install A Firewall

So if your login page has been secured then your WordPress site should be safe, right? Well, not really. Certainly accessing a site via your control panel is a popular method, but it’s not the only way in which people may try to compromise your site.

Another example is actually exploiting security flaws in the WordPress software itself, or the plugins and themes that you use, to insert new code straight into the database that you use for your site. Many of these attacks start with some investigation by the hacker; then when they have gathered the information they need, they are in a position to begin an attack.

A firewall helps to control this flow of data, and ensures that if certain “red flag” activities occur – which are most likely attributed to potential attacks – then the site locks down and prevents the hacker receiving the information they desire.

One popular example of such a plugin is the WordPress Firewall 2 plugin which is available free of charge and successfully monitors, intercepts and logs any activities on your site that may suggest the action of hackers.

Update Your Site

Hackers are famous for discovering security flaws in WordPress together with the associated plugins and themes that we all use. Fortunately, as soon as these flaws are uncovered, updates are made available to correct these issues.

However this means that it’s essential to keep your site updated. By logging into your admin panel regularly and clicking the “Updates” option in the navigation menu you’ll be able to see exactly what updates are available. It is recommended that you update these files as soon as possible to keep your site in the best of health.

Create Backups

One final topic worth mentioning is the subject of backups. All the above points will go a long way to keeping your site safe and sound, however even then there will still be risks, no matter how small. It is therefore wise to use an automated backup plugin to store a copy of your site in a secure location. In this way, if you ever suffer an attack despite all your best efforts, you can simply reinstall the site from your cloud storage account and you’ll be back up and running in no time.

For advice on selecting the right online backup solution a great place to start is this online storage comparison chart.
